With the initial shock and fear now subsided, three important insights should emerge from the February 5, 2021 hacking of the Oldsmar, Florida water treatment facility.
1. Facility control systems should be air gapped.
Every industrial, chemical, water, sewage, or other type of facility that handles hazardous, flammable, or another type of chemical that is expected to directly impact the human population needs two separate network systems (at a minimum). The first network system can be a traditional data storage/IT/communications system for employees to perform traditional office-type functions on securely managed endpoints and devices. This network is connected to the internet and perhaps interfaces with third-party platforms.
However, the second network that manages the operational controls and processes for the subject chemical(s) must be physically isolated and air-gapped; meaning that it does NOT connect to the internet or any other device that is connected to the internet. By being air-gapped, the second network becomes nearly impervious to unauthorized access (yes, a flash drive with certain malware could manipulate data with a cell phone and radio signal, but that is extremely abnormal).
For engineers who need both email capability and readability on tanks or wells, those individuals will have two computers or a computer and then a separate monitor that is only connected to the air-gapped network. Approximately a year ago, the Cybersecurity and Infrastructure Security Agency (CISA) published this Alert following a ransomware attack at a U.S. natural gas facility, reminding facility owners to separate IT networks from operational control networks, and to airgap the latter.
2. “Hacking” is getting easier and will be more frequent.
Just like people now watch YouTube videos to learn to change their own oil or replace a shower head, wannabe hackers can purchase “hacking kits” on the internet. Whether the devious individual wants to target iOS v. Android operating systems, launch a phishing campaign, or just download a password cracking software, the costs are minimal. For example, Hashcat, a password breaking software is free, fun to play with, and effective (it was research!). And with social security numbers for sale for pennies on the dark web, it is tempting for those with criminal tendencies to test their technical prowess for a larger return. Therefore, expect the frequency of these types of events to increase. It is not as though societal reliance on smart phones, television applications, or social media is dying.
3. We (all Citizens) got lucky.
Everyone, most notably the citizens of Oldsmar, were lucky that the hackers targeted a water treatment facility (and that an operator was watching his/her monitors so closely). In certain areas of the country, the biggest fear is a hacker altering a key condition within a pipeline that may cause a chain of explosions across the U.S. And, unfortunately, this is real possibility. With approximately 2.7 million miles of pipeline transporting natural gas, oil, and other hazardous liquids across the nation, the immediate threat to public safety caused by a successful hacker is exponentially magnified.
The Transportation Security Administration (TSA) was previously tasked with primary federal oversight and responsibility for the physical security and cybersecurity of the U.S. pipeline system. Other private sector and publicly owned pipeline operators are responsible for implementing asset-specific protective security measures.
Like other government programs, the TSA’s Pipeline Security and Incident Recovery Protocol Plan, which included cybersecurity incident response, was last issued in March 2010. Thus, it was 8 years old before the Department of Homeland Security (now CISA) took over and created the Pipeline Cybersecurity Initiative (PCI). And while PCI aims to help pipeline owners and operators prepare for, respond to, and mitigate significant cyber events, it first must build public-private sector trust and coordinate security management. Thus, CISA must overcome at least an 8-year delay, in addition to disjointed ownership, in securing U.S. pipelines from hackers.